
Vulnerability in Gitlab

Article by Bram Patelski of Ordina Netherlands

Last week, a vulnerability in GitLab was discovered. It affects GitLab versions lower than the following releases, published on February 25: 14.8.2, 14.7.4 and 14.6.5.

The NCSC has issued the following advisory for this: https://www.ncsc.nl/actueel/advisory?id=NCSC-2022-0139

If you use GitLab (including at a customer site), update it to the most recent version as soon as possible. Because the risks carry a significant impact, this update should not be postponed.
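As an added illustration of the version check above (example code, not part of Ordina's article or of GitLab's own tooling): the functions below classify a GitLab version string against the fixed releases 14.8.2, 14.7.4 and 14.6.5, and flag every instance in an inventory that still needs the update. The accepted version-string formats and the sample inventory are assumptions constructed for this example.

```python
"""Classify GitLab instances against the fixed releases named in the advisory.

Added example, not Ordina's or GitLab's code. Assumes version strings such as
"14.8.1", "v14.8.1" or "14.8.1-ee" (the "-ee"/"-ce" suffix is ignored).
"""
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Fixed release per supported 14.x branch, taken from the advisory.
FIXED_VERSIONS: Dict[Tuple[int, int], Version] = {
    (14, 8): (14, 8, 2),
    (14, 7): (14, 7, 4),
    (14, 6): (14, 6, 5),
}
NEWEST_FIXED_BRANCH = max(FIXED_VERSIONS)


def parse_version(text: str) -> Version:
    """Turn "v14.8.1-ee" into (14, 8, 1); reject anything that is not X.Y.Z."""
    core = text.strip().lstrip("v").split("-")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def is_patched(version: str) -> bool:
    """True when the running version already contains the fix."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is not None:
        # Same branch as a fixed release: compare the patch level.
        return (major, minor, patch) >= fixed
    if (major, minor) > NEWEST_FIXED_BRANCH:
        # Branches newer than 14.8 were cut after the fix landed.
        return True
    # Branches older than 14.6 received no fixed release: upgrade required.
    return False


def instances_needing_update(inventory: Dict[str, str]) -> List[str]:
    """Return the hostnames whose version is still vulnerable, sorted."""
    return sorted(host for host, ver in inventory.items() if not is_patched(ver))


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample = {
        "gitlab.example.internal": "14.8.1-ee",
        "gitlab-legacy.example.internal": "14.5.3",
        "gitlab-new.example.internal": "14.8.2",
    }
    for host in instances_needing_update(sample):
        print(f"UPDATE REQUIRED: {host} runs {sample[host]}")
```

Feed the script the versions reported by each instance (for example from its admin area) and treat every hostname it prints as a candidate for immediate upgrade; a version string it cannot parse raises an error rather than silently passing as patched.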

The updates and instructions can be found in GitLab's own security advisory: https://about.gitlab.com/releases/2022/02/25/critical-security-release-gitlab-14-8-2-released/

The vulnerability is a Runner registration token disclosure through Quick Actions and has a CVSS score of 9.6.

The chance of abuse is rated Medium, and the damage / impact is rated High, consisting of: DoS (Denial of Service), bypassing security measures, RCE (Remote Code Execution) and access to sensitive data.

If your organization has additional measures in place, such as a VPN required to reach on-premise / self-managed GitLab environments, this provides an additional layer of defense (defense in depth). Nevertheless, it remains important to implement these updates as soon as possible.

If you need any assistance or have any questions about this vulnerability or cybersecurity in general, feel free to contact us.